Nzyme v2.0.0-alpha.15 has been released

November 1, 2024

Next up: alpha.15, bringing a lot of new features as the WiFi subsystem is nearing completion.

Changelog

  • New Feature: Transparent Context
  • New Feature: Alert on newly discovered WiFi networks
  • New Feature: Alert on new client connected to a monitored WiFi network
  • New Feature: Alert on sensitive probe requests
  • New Feature: WiFi and General Overview Pages/Dashboards
  • New Feature: Ability to enable/disable entire subsystems for system, organizations and tenants
  • New Feature: Bluetooth device details page (Bluetooth subsystem is experimental)
  • New Feature: Bluetooth device tagging and tags for Apple FindMy devices (Bluetooth subsystem is experimental)
  • New Feature: Bluetooth device OUI/vendor enrichment (Bluetooth subsystem is experimental)
  • Improvement: Ability to set a default organization and tenant
  • Improvement: Alert and health indicator status in sidebar
  • Improvement: Bootstrap Test Mode
  • Many bugfixes and smaller improvements

New Feature: Transparent Context

When analyzing network data, whether it’s Ethernet or WiFi, you often have access only to lower-level information embedded within frames or connections. Typically, this includes details like MAC or IP addresses, but not hostnames.

Nzyme now enriches MAC and IP addresses with associated hostnames whenever possible. It achieves this by leveraging recorded DHCP and ARP traffic alongside local reverse DNS queries. This enriched data is then seamlessly integrated into the nzyme Context system and displayed throughout the web interface.

Screenshot: An enriched WiFi client MAC address.

This enrichment capability works across subsystems. For instance, if you’re collecting both WiFi and Ethernet traffic, you’ll also see hostnames for WiFi clients.
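The following added example (not nzyme's own code) sketches how hostnames can be derived for a MAC address from recorded DHCP and ARP data plus reverse DNS. The record layouts, the precedence of DHCP hostnames over PTR names, and the `REVERSE_DNS` table standing in for live local lookups are all assumptions made for illustration.

```python
# Constructed sample records; the field layout is an assumption of this example.
DHCP = [  # (epoch_seconds, client MAC, leased IP, client-supplied hostname or None)
    (100, "02:00:00:aa:bb:01", "10.0.0.21", "laptop-old"),
    (900, "02:00:00:aa:bb:01", "10.0.0.21", "laptop-jane"),
    (950, "02:00:00:aa:bb:02", "10.0.0.22", None),
]
ARP = [  # (epoch_seconds, sender MAC, sender IP)
    (960, "02:00:00:aa:bb:02", "10.0.0.22"),
    (970, "02:00:00:aa:bb:03", "10.0.0.23"),
]
# Stands in for local reverse DNS (PTR) queries so the example runs offline.
REVERSE_DNS = {"10.0.0.22": "printer-2f.corp.example"}


def build_context(dhcp, arp):
    """Keep the latest IP and hostname per MAC; newer records override older ones."""
    events = [(ts, mac, ip, host) for ts, mac, ip, host in dhcp]
    events += [(ts, mac, ip, None) for ts, mac, ip in arp]
    ctx = {}
    for ts, mac, ip, host in sorted(events, key=lambda e: e[0]):
        entry = ctx.setdefault(mac.lower(), {"ip": None, "hostname": None})
        entry["ip"] = ip
        if host:  # ARP carries no hostname, so it never erases a DHCP one
            entry["hostname"] = host
    return ctx


def enrich(mac, ctx, rdns):
    """Return the context for a MAC seen in any subsystem, e.g. a WiFi client."""
    mac = mac.lower()
    entry = ctx.get(mac)
    if entry is None:
        return {"mac": mac, "ip": None, "hostname": None, "source": None}
    if entry["hostname"]:
        return {"mac": mac, "ip": entry["ip"],
                "hostname": entry["hostname"], "source": "dhcp"}
    ptr = rdns.get(entry["ip"])  # fall back to the PTR name for the last known IP
    return {"mac": mac, "ip": entry["ip"], "hostname": ptr,
            "source": "rdns" if ptr else None}


if __name__ == "__main__":
    context = build_context(DHCP, ARP)
    for client in ("02:00:00:AA:BB:01", "02:00:00:aa:bb:02", "02:00:00:aa:bb:03"):
        print(enrich(client, context, REVERSE_DNS))
```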

New Feature: Alert on newly discovered WiFi networks

Monitoring SSIDs (wireless network names) in range provides situational awareness, allowing you to manually verify that no potentially malicious networks are nearby—especially those that similar-sounding or restricted SSID monitoring might miss. It also enables you to detect new, unexpected networks, such as a printer automatically starting its own network for device adoption, or unauthorized mobile hotspots which could introduce vulnerabilities without your knowledge.

Nzyme can now alert on newly discovered SSIDs that persist for a specified dwell time.

Screenshot: Approved SSIDs.

You can learn more about SSID monitoring in the Knowledge Base.
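To illustrate why a dwell time matters, here is an added example (not nzyme's implementation) of alert logic over constructed SSID sightings. The approved list, the 300-second dwell time and the rule that a silence longer than `MAX_GAP_SECONDS` restarts the dwell window are assumptions of this sketch.

```python
APPROVED_SSIDS = {"corp-wifi", "corp-guest"}  # constructed allow list
DWELL_SECONDS = 300     # assumed dwell time
MAX_GAP_SECONDS = 120   # assumption: a longer silence restarts the dwell window


def new_ssid_alerts(observations, approved=APPROVED_SSIDS,
                    dwell=DWELL_SECONDS, max_gap=MAX_GAP_SECONDS):
    """observations: (epoch_seconds, ssid) tuples. Returns [(ssid, alert_time)]."""
    first_seen, last_seen, alerted, alerts = {}, {}, set(), []
    for ts, ssid in sorted(observations):
        if ssid in approved or ssid in alerted:
            continue  # approved networks never alert; alert once per SSID
        if ssid not in first_seen or ts - last_seen[ssid] > max_gap:
            first_seen[ssid] = ts  # start, or restart, the dwell window
        last_seen[ssid] = ts
        if ts - first_seen[ssid] >= dwell:
            alerts.append((ssid, ts))
            alerted.add(ssid)
    return alerts


def sample_observations():
    """Constructed sightings, one per minute unless noted."""
    obs = [(t, "corp-wifi") for t in range(0, 601, 60)]              # approved
    obs += [(t, "DIRECT-printer-setup") for t in range(0, 601, 60)]  # persists
    obs += [(30, "Passing-Hotspot"), (90, "Passing-Hotspot")]        # drive-by
    obs += [(0, "Flaky-AP"), (60, "Flaky-AP"),                       # vanishes,
            (400, "Flaky-AP"), (460, "Flaky-AP")]                    # then returns
    return obs


if __name__ == "__main__":
    for ssid, when in new_ssid_alerts(sample_observations()):
        print(f"new SSID {ssid!r} persisted for the dwell time, alert at t={when}s")
```

Only the persistent network alerts; the drive-by hotspot and the intermittently seen network never accumulate enough continuous dwell time.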

New Feature: Alert on unapproved client connected to a monitored WiFi network

Similar to SSID Monitoring, you can now alert on any unapproved clients connecting to a monitored network.

Unlike SSID monitoring, client monitoring always happens in the scope of a monitored network: it alerts on clients observed as connected to any BSSID that is part of the monitored network's configuration.

Screenshot: Approved clients connected to a monitored network.

There are more details available in the documentation.

New Feature: Alert on sensitive probe requests

Probe requests are frames sent by WiFi devices to discover nearby networks. When a device isn’t connected to WiFi, it periodically sends these requests, containing its MAC address and sometimes a preferred network’s name (SSID). Nearby access points respond, helping the device identify and connect to networks.

In certain situations, monitoring probe requests can help prevent privacy issues and data leaks. We have listed some scenarios in the Knowledge Base.

You can now configure nzyme to alert you when it records certain probe requests.
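The added example below (not nzyme's code) parses 802.11 probe request frames, extracts the sender MAC address and the optional SSID, and flags requests for SSIDs on a watch list. The watch list and the sample frames are constructed, and the frames are assumed to start at the 802.11 MAC header with no radiotap header or trailing FCS.

```python
SENSITIVE_SSIDS = {"acme-datacenter"}  # hypothetical watch list, constructed


def parse_probe_request(frame):
    """Return (source_mac, ssid) for a probe request, with ssid None for a
    wildcard (broadcast) probe; return None for any other or truncated frame."""
    if len(frame) < 24:  # management MAC header is 24 bytes
        return None
    fc = frame[0]  # bits 2-3: type (0 = management), bits 4-7: subtype
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 4:
        return None  # subtype 4 is probe request
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # address 2 = transmitter
    pos, ssid = 24, None
    while pos + 2 <= len(frame):  # walk tagged parameters: id, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element, stop parsing
        if tag == 0:  # SSID element; zero length means wildcard
            if length:
                ssid = value.decode("utf-8", errors="replace")
            break
        pos += 2 + length
    return src, ssid


def sensitive_probe_alerts(frames, sensitive=SENSITIVE_SSIDS):
    """Return (mac, ssid) for every probe request naming a watched SSID."""
    parsed = (parse_probe_request(f) for f in frames)
    return [p for p in parsed if p and p[1] in sensitive]


def _probe(src, ssid):
    """Build a constructed probe request: header, SSID tag, supported rates."""
    hdr = b"\x40\x00\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return hdr + bytes([0, len(ssid)]) + ssid + b"\x01\x04\x02\x04\x0b\x16"


SAMPLE_FRAMES = [  # constructed; MACs use the locally administered range
    _probe(bytes.fromhex("020000aabb01"), b"acme-datacenter"),  # directed probe
    _probe(bytes.fromhex("020000aabb02"), b""),                 # wildcard probe
    _probe(bytes.fromhex("020000aabb03"), b"coffee-shop"),      # not watched
    b"\x80\x00" + bytes(22) + b"\x00\x0facme-datacenter",       # beacon subtype
]

if __name__ == "__main__":
    for mac, ssid in sensitive_probe_alerts(SAMPLE_FRAMES):
        print(f"sensitive probe request from {mac} for {ssid!r}")
```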

New Feature: WiFi and General Overview Pages/Dashboards

Previously placeholders, the WiFi and general overview pages are now populated with data and widgets based on your user permissions.

Screenshot: The general overview page.
Screenshot: The WiFi overview page.

New Feature: Ability to enable/disable entire subsystems for system, organizations and tenants

Nzyme currently includes three subsystems:

  • Ethernet
  • WiFi/802.11
  • Bluetooth (Experimental)

Starting with this release, subsystems can be enabled or disabled at the level of the entire nzyme cluster, individual organizations, or specific tenants. A disabled subsystem will automatically reject data from taps and will be hidden across the entire web interface until re-enabled.

Screenshot: Enabling and disabling subsystems from the web interface.

New Bluetooth Features

The experimental Bluetooth subsystem in nzyme received some additional features and improvements:

Bluetooth device details page

Each discovered Bluetooth address can now be analyzed in more detail on the corresponding details page.

Screenshot: Bluetooth device details page.

Bluetooth device tagging and tags for Apple FindMy devices

Nzyme now automatically identifies and tags Bluetooth advertisements whenever possible. The first tagger in this system detects Apple FindMy devices, including AirTags, and indicates their current pairing state.

Bluetooth device OUI/vendor enrichment

Automatic OUI and vendor information enrichment for Bluetooth addresses is now available and applied when the nzyme cluster is connected to nzyme Connect.

Improvement: Ability to set a default organization and tenant

It is best practice to use tenant users for day-to-day use of nzyme. However, we recognize that there are exceptions, and we always aim to streamline actions in the web interface. Previously, users had to manually select an organization and tenant for such actions if multiple options were available.

Screenshot: Selecting a default tenant and/or organization.

Now, each user can set a default organization and/or tenant in their profile settings.

Improvement: Alert and health indicator status in sidebar

The web interface sidebar now clearly indicates when there is an active alert or a triggered system health indicator.

Screenshot: The alerts page is highlighted, indicating an active alert.

Improvement: Bootstrap Test Mode

To help with debugging, you can now start nzyme-node in a special bootstrap test mode that will print all logging output to the foreground of your terminal (STDOUT) and exit after a successful start of the system. Learn more in the documentation.

New Packages for Ubuntu 24.04 LTS (Noble Numbat) and Raspberry Pi OS 12 (Bookworm)

We are now building and providing official nzyme-node and nzyme-tap packages for Ubuntu 24.04 LTS (Noble Numbat) and Raspberry Pi OS 12 (Bookworm).

Download & Upgrading

All packages are available for download on the downloads page. Upgrading is easy. Please follow the release notes on the downloads page.

New installations should follow the installation documentation.

How can I help?

You are some of the first users to try out nzyme v2.0.0, and we are looking for any kind of feedback:

  • What didn’t work, what bugs did you experience?
  • What was confusing or seemingly unnecessarily complex?
  • What is missing?
  • What do you think should be changed?

Again, this is an early release and no feelings will be hurt.

You can file issues on GitHub, join the nzyme Discord or post in the discussion forums to provide your feedback or ask questions.
